<?php
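// Blacklist of substrings that FunStringExist() looks for in every $_POST/$_GET value.
// Deduplicated: the list used to contain ";" twice, which only cost an extra iteration.
// NOTE(review): a substring blacklist is not an injection defence. Entries such as "-", "<"
// or "%" would reject ordinary input ("O'Brien", "a-b", "50%") while encoded payloads pass;
// parameterised queries and per-context output escaping are the actual mitigation. The list
// is kept only because the legacy filter below reads it.
$ArrFiltrate = array(
	"'",
	";",
	"union",
	//"and",
	//"from",
	"where",
	"insert",
	"update",
	'"',
	"write",
	"-",
	"<",
	">",
	"%",
);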

// URL to send the client to after a rejected request; empty means "back to the previous page".
// NOTE(review): nothing in this file reads $StrGoUrl — the rejection path below always
// uses window.history.go(-1). It may be consumed by an including file; confirm before removing.
$StrGoUrl = '';


//是否存在数组中的值
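/**
 * Legacy blacklist check: was meant to report whether any entry of $ArrFiltrate occurs
 * (case-insensitively) in $StrFiltrate.
 *
 * The eregi() match that implemented it is commented out (eregi was removed in PHP 7), so
 * the function currently matches NOTHING and always returns false — the callers'
 * logging/blocking branch is never taken. The loop that remained iterated the blacklist
 * without doing anything and has been dropped so the no-op is visible at a glance.
 * Do not rely on this function for injection protection; use prepared statements and
 * context-specific output escaping instead.
 *
 * @param mixed $StrFiltrate  request value under test (a string, or an array for foo[]=1 parameters)
 * @param array $ArrFiltrate  blacklist of substrings (unused while matching is disabled)
 * @return bool               always false while matching is disabled
 */
function FunStringExist($StrFiltrate, $ArrFiltrate)
{
	return false;
}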


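// Merge $_POST and $_GET into one map of request parameters.
// array_merge() has existed since PHP 4, so the former function_exists() fallback was dead
// code — and unlike array_merge() it discarded the parameter names, so the two branches did
// not even agree on the result shape. With string keys a $_GET entry overrides a $_POST
// entry of the same name.
$ArrPostAndGet = array_merge($_POST, $_GET);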

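// Validation: log and reject the request as soon as any merged parameter matches the blacklist.
// NOTE(review): this is a logging/blocking hook, not an injection defence — the queries
// themselves must use prepared statements regardless of what happens here.
foreach ($ArrPostAndGet as $value)
{
	if (FunStringExist($value, $ArrFiltrate))
	{
		// Nested parameters (foo[]=1) arrive as arrays; render them as JSON instead of the
		// bare "Array" string (plus notice) that interpolation would produce.
		$shown = is_scalar($value) ? (string) $value : json_encode($value, JSON_UNESCAPED_UNICODE);
		if ($shown === false) {
			$shown = '[unencodable value]';
		}

		// Append-only log of rejected values. $value is attacker-controlled and the log is an
		// HTML file that gets served back, so everything interpolated into it is escaped for
		// HTML context; writing it raw made the log page a stored-XSS sink.
		// NOTE(review): htmlspecialchars()/json_encode() use default_charset (UTF-8) — confirm
		// that matches the site's encoding, otherwise invalid bytes are substituted/blanked.
		$dt = date('Y-m-d H:i:s');
		$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
		$s  = isset($_SESSION['memberinfo']) ? $_SESSION['memberinfo'] : "no session";
		if (!is_scalar($s)) {
			$s = json_encode($s, JSON_UNESCAPED_UNICODE);
		}
		$safeIp    = htmlspecialchars((string) $ip, ENT_QUOTES | ENT_SUBSTITUTE);
		$safeS     = htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE);
		$safeValue = htmlspecialchars($shown, ENT_QUOTES | ENT_SUBSTITUTE);

		// FILE_APPEND avoids re-reading and rewriting the whole, ever-growing log on every hit;
		// LOCK_EX keeps concurrent requests from interleaving entries.
		file_put_contents(
			DIR_ROOT_P . '/html/postrecords.html',
			"ip:$safeIp----date:$dt----s:$safeS----post:$safeValue <br /><hr /> \r\n ",
			FILE_APPEND | LOCK_EX
		);

		// Embed the offending value as a JSON string literal so it cannot terminate the JS
		// string or the <script> element (JSON_HEX_TAG covers "</script>", the other HEX flags
		// cover quotes and "&"). The original spliced it raw into the alert() call.
		$jsValue = json_encode($shown, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE);
		if ($jsValue === false) {
			$jsValue = '""';
		}
		exit("<script>alert('发现非法字符' + " . $jsValue . " + ' ， 你的IP我们已经记录 。请不要做非法尝试！');window.history.go(-1);</script>");
	}
}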
?>